So I'm able to map CVEs to packages from the OVAL files, but I'm missing something.
Consider CVE-2015-7559, whose description in com.ubuntu.disco.cve.oval.xml is given as:
<description>It was found that the Apache ActiveMQ client before 5.15.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.</description> which implies activemq x.y.z<5.15.5 are vulnerable to CVE-2015-7559.
So I dug into the file to see the vulnerable packages for CVE-2015-7559 and I got this:
<constant_variable id="oval:com.ubuntu.disco:var:201575590000000" version="1" datatype="string" comment="'activemq' package binaries">
</constant_variable> Nowhere does it mention activemq's versions. This is the case with most of the CVEs mentioned here; any pointers on what I might be missing?
@pombredanne so my previous approach was to use bs4 and extract the data accordingly, but this would require us to craft a new importer for each OVAL file (e.g. Red Hat's OVAL schema is different from Ubuntu's), which is impractical. So I had to cross out the bs4 approach. This issue is bigger than it seemed to me.
I think we should somehow figure out how to use the already implemented OVAL scanner https://github.com/OpenSCAP/openscap/tree/maint-1.3/src/OVAL for our purpose. Apparently they provide an undocumented Python API (I am reaching out to the openscap folks for help on this one) https://github.com/OpenSCAP/openscap/blob/maint-1.3/swig/openscap_api.py but I haven't figured out how to use it.
Upon reading the auto-generated documentation http://static.open-scap.org/openscap-1.2/oval__generator_8c.html I believe this repo contains what we need. btw should I add this to the ticket?
With our current data model this information is lost, which means a lot of false positives for users on other platforms.
we need a ticket then :)
A natural way to handle it for me would be to add a platform qualifier to the impacted package PackageURL
Did you try to play with some of the libraries I listed in the ticket beyond the openscap one (which is in C, so it comes with its own build issue)?
Atm no, openscap seemed promising but it seems to require a lot of work to get it working for our purposes.
I was using bs4 for 'prototyping'; using etree is very painful for me, but the plan was to move to etree eventually after getting it right in bs4. Anyways, I am looking at trivy-db atm, finally reading some Go code.
So after trying all the suggested tools I managed to obtain data in the desired format using https://github.com/kings-way/OVAL2DB. The problem with this tool is that we need to work on it to make it Python 3 compatible.
I also think https://github.com/cjaymes/pyscap might have something useful, though I have no idea how to make it work (no documentation). Let me know whether I should dig in deeper, but for the moment https://github.com/kings-way/OVAL2DB seems good enough. What do you think? Should I explore pyscap or start working on making OVAL2DB Python 3 compatible?
@haikoschol I have made the requested changes
@sbs2001 thanks! i hope i'll get to review and merge them tonight or tomorrow
btw we need to make changes to the npm importer's get_all_versions() method to prevent the urlopen() issue you talked about.
thanks for pointing that out. i think i can take care of it when i'm done with your PR
@pombredanne in future we will be adding solutions to every vulnerability right?
Consider vulnerability 'CVE-A', and suppose the advisory from which we get data about 'CVE-A' also contains ways to avoid/fix 'CVE-A'. Our current vulnerability model has no way of storing these instructions related to prevention of the corresponding vulnerability. Should we add an additional field for storing this data?